AAA for OWA and FTP

Status
Not open for further replies.

Lockdown

Technical User
Sep 9, 2002
8
AU
Dear All

Can someone tell me if the following is possible, if so can they also point me in the right direction.

I want to be able to secure an internal OWA and a separate FTP server by using AAA authentication. Obviously these servers already have their own authentication, but I want to present a second barrier to get to them from the outside.

Many Thanks in advance

Terry
 
I'm working on the same task
AAA-server for inbound FTP
I have the PIX book and it's not too clear to me. The CSACS program, is this required or can you just use the PIX and the IAS server?
I've been playing around with PIXCRIPT and my books and this is what I have:

aaa-server MYAAAGROUP protocol radius
aaa-server MYAAAGROUP (inside) host NTIASSERVER MYKEY
aaa authentication include ftp inbound MYPUBIP MYFTP MYAAAGROUP
**I would like any inbound FTP traffic to be authenticated
**and I can not get this command to enter?!
auth-prompt prompt Please Authenticate to the Firewall
auth-prompt accept OK - you are authenticated.


But no success
Any Pros ?!?!

Thanks
Brock D. Mowry
Hardware Specialist
 
Also in the PIX command Ref book (p.2-3):
"PIX Firewall does not support RADIUS authorization"
What is that?

Do I have to use TACACS+?

I'm lost...
Brock D. Mowry
Hardware Specialist
 
Ok still no luck here is my current config

Filter(config)# sh aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AAAGROUP protocol radius
aaa-server AAAGROUP (inside) host myserver mysecret timeout 10
aaa authentication include ftp outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AAAGROUP

vpdn group msvpn client authentication aaa AAAGROUP

I have the VPN working with the local (PIX) user account.
I was using the VPN to test the AAA server.
Here is the error I'm getting:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 2/21/2003
Time: 12:26:43 AM
User: N/A
Computer: myserver
Description:
User USER was denied access.
Fully-Qualified-User-Name = Company.net/Users (Pol)/USER USER
NAS-IP-Address = myserver
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = PIX
Client-IP-Address = 192.168.1.1
NAS-Port-Type = <not present>
NAS-Port = 27
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = MS-CHAPv1
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized authentication method.
Brock D. Mowry
Hardware Specialist
 
Hello All

Thanks for your replies.

I'm using IAS with RADIUS authentication. The PIX intercepts the incoming HTTP traffic and offers me a username and password box, but the RADIUS server doesn't authenticate my username and password; after three attempts it says authorization failed. After careful reading, it would appear that RADIUS, once authenticating the user, passes your details on to your destination, in my case the OWA server. As my RADIUS server is separate from my network for security reasons, the accounts are different to those of the OWA, and hence why I think it fails.

Does anyone know if Virtual Telnet or Virtual HTTP may cure this? I don't see the point of having RADIUS if the username and password have to be the same as the destination; I want to add security, not duplicate it.

I have tried including both usernames and passwords together with the @ sign as recommended in the PIX book, but with no success. Has anyone got this to work? I have tried for my login:

radiususer@domain\username
radiuspassword@domain password

Many Thanks

Terry
 
HI.


> Reason = The user attempted to use an unauthorized authentication method
You should go to the IAS console on the server, and modify the profile/policy to accept the PAP authentication protocol, unless you are using a different one.
You should also try to see if the grant dial in permission in Active Directory or Local Users has an effect.

> &quot;PIX Firewall does not support RADIUS authorizaiton&quot;
As far as I understand (didn't try in field), this means that if you are going to use only &quot;aaa authentication&quot; you can go on with RADIUS, but if you need &quot;aaa authorization&quot; then you must use TACACS+.

For the task of authenticating incoming sessions like discussed here, I think that "aaa authentication" with RADIUS should be fine.
I didn't try this myself, so when you get it working or not, please share with us the results.

> Does anyone know if Virtual Telnet or Virtual HTTP may cure this?
I think that it can help both for troubleshooting and also for better security - by forcing the user to know the correct virtual server IP and protocol in addition to credentials.

Bye
Yizhar Hurwitz
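As an added illustration (not code from any poster in this thread or from Cisco/Microsoft), the Python below shows what the IAS log entries and the PAP advice above are about on the wire: it builds a RADIUS Access-Request the way a PAP-authenticating NAS does, hides the User-Password per RFC 2865 section 5.2 using the shared secret and the Request Authenticator, recovers it on the server side, and classifies a request as PAP (User-Password attribute present) versus an MS-CHAP style request (Vendor-Specific attributes instead), which is the distinction an IAS policy that permits only one method enforces when it logs "unauthorized authentication method". The secret, credentials, NAS address and port are constructed sample values; the attribute type numbers are the RFC 2865 ones.

```python
import hashlib
import struct

# RADIUS packet code and attribute type numbers from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2      # present only for PAP
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_VENDOR_SPECIFIC = 26   # MS-CHAP challenge/response travel here (RFC 2548)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple (at least one block), then XOR
    each block with MD5(secret + previous cipher block); the first block uses
    the 16-byte Request Authenticator as the 'previous' block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped
    (passwords are assumed not to end in a NUL byte)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, username: str,
                         password: str, secret: bytes, nas_ip: str, nas_port: int) -> bytes:
    """A PAP Access-Request carrying the attributes seen in the IAS log above
    (NAS-IP-Address, NAS-Port) plus User-Name and the hidden User-Password."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list, refusing truncated or overlapping attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def authentication_method(packet: bytes) -> str:
    """Which method the request is using: the property an IAS policy checks."""
    attrs = parse_attributes(packet)
    if ATTR_USER_PASSWORD in attrs:
        return "PAP"
    if ATTR_VENDOR_SPECIFIC in attrs:
        return "MS-CHAP or other vendor-specific method"
    return "unknown"


def server_decision(packet: bytes, secret: bytes, users: dict, allowed_methods: set) -> str:
    """Minimal policy: reject methods not in allowed_methods (IAS reason 66 case),
    else recover the PAP password and check it against the server's own user
    database; the RADIUS server only knows its own accounts, not the OWA's."""
    method = authentication_method(packet)
    if method not in allowed_methods:
        return "Access-Reject: unauthorized authentication method"
    attrs = parse_attributes(packet)
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, packet[4:20])
    if users.get(user) == password:
        return "Access-Accept"
    return "Access-Reject: bad credentials"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread's real environment.
    SECRET, AUTH = b"mysecret", bytes(range(16))
    pkt = build_access_request(7, AUTH, "terry", "s3cret", SECRET, "192.168.1.1", 27)
    print(authentication_method(pkt))
    print(server_decision(pkt, SECRET, {"terry": b"s3cret"}, {"PAP"}))
    print(server_decision(pkt, SECRET, {"terry": b"s3cret"}, {"MS-CHAP or other vendor-specific method"}))
```

The last two calls show the two failure modes discussed in the thread side by side: a policy that does not list PAP rejects the request before credentials are even examined, and a policy that does accept PAP still rejects it unless the RADIUS server's own account database holds that username and password, regardless of what the OWA or FTP server behind the firewall would accept.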
 